Part 1 of the 2-part IPsec Series

The new Cisco Catalyst 9000X with IPsec support is finally a reality. I will quickly cover three use cases that are relevant to branch deployments. 

Cisco introduced the Catalyst 9000X series, which includes the C9300X, C9400X, C9500X, and C9600X. I will mostly focus on the C9300X which supports IPsec today as of IOS-XE 17.6.2 with Advantage licensing. The C9400X will support IPsec soon. 


Catalyst 9300X
Figure 1. Catalyst 9300X Industry first 100G Hardware Encryption and 1 Tbps stacking


The C9300X comes with a new enhanced Unified Access Data Plane (UADP) ASIC called the UADPsec.  This new ASIC allows for industry-first capabilities that allow the switch to perform up to 100G of Layer 3 hardware encryption and up to 1 Tbps of stacking.  It also helps enhance support for the application hosting capabilities common to all Catalyst platforms.



C9300X IPSec
Figure 2. C9300X IPSec capabilities with IOS-XE 17.6.2


The good news is that the C9300X supports standards-based IPv4/IPv6 IPsec (up to 128) tunnels. It also has support for NAT Traversal, Multicast routing, Layer 3 Segmentation over IPsec, Layer 2 extension over IPsec, and even EVPN over the tunnel. 



C9300X IPSec Use Cases
Figure 3. C9300X IPSec Site-to-SIG, Site-to-Cloud, Site-to-Site


So, why is this needed? If you are an SD-WAN customer, then you already have an architecture in place. The Catalyst 9300X is not meant to be an SD-WAN replacement and it is an independent solution. It is meant for customers with the intention of reducing the number of devices at the branch office. For example, removing a router and/or firewall while creating a secure tunnel connection. If so, then look no further. The Catalyst 9300X can help you achieve it.

The Catalyst 9300X can help set up multiple secure tunnels. There are three common use cases. The first is Site-to-SIG. The Secure Internet Gateway (SIG) support can be to Umbrella, Zscaler, or any other third-party provider. The second is Site-to-Cloud, which can establish a secure tunnel to your Cloud provider of choice. The third use case is Site-to-Site. The C9300X can establish a secure tunnel to your Data Center firewall, router, or even another C9300X switch. These are at least three reasons why this platform is right for you.

In my next post, I will show how to onboard the C9300X switch using Cisco DNA Center Plug and Play (PnP). In addition, I will show how to create secure tunnels to the Umbrella SIG environment. 


Learn more about the Cisco Catalyst 9300


Orestes Matos

Technical Solutions Architect

Campus Automation Center of Excellence